Nils Rennebarth
2025-Aug-14 11:52 UTC
Location of socket for agent forwarding on remote machine configurable?
Hi,

The "ForwardAgent" configuration item documented in ssh_config(5) allows forwarding a different agent socket to the remote machine than the one whose path is contained in the environment variable SSH_AUTH_SOCK. But on the remote machine, sshd.c creates another socket that it listens on, as long as the ssh session is running, and proxies all requests to the originating agent, right?

Is it possible to configure the location of the agent socket on the remote machine, or is that location hardcoded to /tmp/ssh-XXXXXXXXXXXX/agent.<pid>?

Background for the question is that I use a build host on a remote machine. I ssh to the machine and then reconnect to a long-running tmux session where I do my development things. During the build I need access to my ssh keys on the originating machine, which is why I use ssh's ForwardAgent option (I can trust the remote machine). But the build also needs to happen in a chroot environment, which of course has no access to the real /tmp directory on the remote machine, where the forwarded agent socket lives.

My current workaround is to run a socat process on the remote machine that proxies between a socket inside the build chroot and the one in /tmp where sshd listens and again proxies it to my local machine, but it would be much easier to just tell sshd on the remote machine to open its socket inside the build chroot.

Best regards,
Nils

--
Dipl. Math Nils Rennebarth
Senior Software Developer Division Public Authorities
secunet Security Networks AG
Tel.: +49 201 5454-3976, Mobil: +49 174 9750449
E-Mail: nils.rennebarth at secunet.com
Neue Brücke 3, 70173 Stuttgart
www.secunet.com
______________________________________________________________________
Sitz: Kurfürstenstraße 58, 45138 Essen, Deutschland
Amtsgericht Essen HRB 13615
Vorstand: Marc-Julian Siewert (Vors.), Torsten Henn, Dr. Kai Martius, Jessica Nospers
Aufsichtsratsvorsitzender: Dr. Ralf Wintergerst
______________________________________________________________________
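The socat-style relay described in the message above (a socket inside the build chroot proxied to the forwarded-agent socket that sshd opened outside it), as an added Python example that is not from this thread and not OpenSSH code: a minimal bidirectional AF_UNIX relay that first checks the upstream path really is a socket owned by the current user with mode 0600, plus a constructed echo server standing in for sshd's socket so the whole thing runs offline. The paths, the start_fake_agent stand-in and the demo() driver are assumptions made for the demonstration; in real use upstream_path would be the SSH_AUTH_SOCK of the ssh session and inner_path a path under the chroot.

```python
import contextlib
import os
import socket
import stat
import tempfile
import threading

def check_agent_socket(path):
    """Only a Unix socket owned by us and closed to group/other may be relayed to."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path}: not a socket")
    if st.st_uid != os.getuid():
        raise ValueError(f"{path}: owned by uid {st.st_uid}, not {os.getuid()}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{path}: accessible to group/other")
    return True

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the half-close on to dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class _UnixServer:
    """0600 Unix socket (umask 0177, as sshd's forwarded-agent socket); on_conn per connection."""
    def __init__(self, path, on_conn):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old = os.umask(0o177)
        try:
            self.sock.bind(path)
        finally:
            os.umask(old)
        self.sock.listen(8)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self._stop = threading.Event()
        threading.Thread(target=self._loop, args=(on_conn,), daemon=True).start()

    def _loop(self, on_conn):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            on_conn(conn)
        self.sock.close()

    def stop(self):
        self._stop.set()

def start_fake_agent(path):
    """Constructed stand-in for sshd's agent socket: echoes input (no real ssh-agent protocol)."""
    return _UnixServer(path, lambda c: threading.Thread(
        target=_pump, args=(c, c), daemon=True).start())

def start_relay(inner_path, upstream_path):
    """Listen at inner_path (inside the chroot) and relay to the checked upstream_path socket."""
    check_agent_socket(upstream_path)

    def bridge(client):
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            upstream.connect(upstream_path)
        except OSError:  # e.g. the ssh session that forwarded the agent is gone
            client.close()
            return
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    return _UnixServer(inner_path, bridge)

def roundtrip(inner_path, payload):
    """Client inside the chroot: send payload via the relay, return the reply."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.settimeout(5)
    c.connect(inner_path)
    c.sendall(payload)
    c.shutdown(socket.SHUT_WR)  # done sending; now read the echo up to EOF
    reply = b"".join(iter(lambda: c.recv(65536), b""))
    c.close()
    return reply

def demo():
    """Wire it all up in a scratch directory (constructed paths, not sshd's)."""
    d = tempfile.mkdtemp(prefix="ar-")
    upstream = os.path.join(d, "agent.sshd")  # stands in for sshd's socket
    inner = os.path.join(d, "agent.chroot")   # stands in for a path in the chroot
    agent, relay = start_fake_agent(upstream), start_relay(inner, upstream)
    echoed = roundtrip(inner, b"constructed agent request")
    bogus = os.path.join(d, "not-a-socket")   # a plain file must be refused
    open(bogus, "w").close()
    try:
        rejected = not check_agent_socket(bogus)
    except ValueError:
        rejected = True
    relay.stop(); agent.stop()
    return echoed, rejected
```

Whoever can connect to the relay's inner socket can sign with the forwarded keys, so it is created 0600 like sshd's own and the relay runs as the same user outside the chroot; the ownership and mode check on the upstream path guards against a stale or planted file at a predictable name such as the /tmp/ssh-XXXXXXXXXXXX/agent.<pid> layout from the question.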
Damien Miller
2025-Aug-15 04:59 UTC
Location of socket for agent forwarding on remote machine configurable?
On Thu, 14 Aug 2025, Nils Rennebarth wrote:

> Hi,
>
> The "ForwardAgent" configuration item documented in ssh_config(5) allows
> forwarding a different agent socket to the remote machine than the one whose
> path is contained in the environment variable SSH_AUTH_SOCK. But on the remote
> machine, sshd.c creates another socket that it listens on, as long as the ssh
> session is running, and proxies all requests to the originating agent, right?
>
> Is it possible to configure the location of the agent socket on the remote
> machine, or is that location hardcoded to /tmp/ssh-XXXXXXXXXXXX/agent.<pid>?

More recently (OpenSSH-10.0) both sshd and ssh-agent listen under ~/.ssh/agent/ but for sshd the path is not configurable.

> Background for the question is that I use a build host on a remote machine. I
> ssh to the machine and then reconnect to a long-running tmux session where I
> do my development things. During the build I need access to my ssh keys on the
> originating machine, which is why I use ssh's ForwardAgent option (I can trust
> the remote machine). But the build also needs to happen in a chroot
> environment, which of course has no access to the real /tmp directory on the
> remote machine, where the forwarded agent socket lives.
>
> My current workaround is to run a socat process on the remote machine that
> proxies between a socket inside the build chroot and the one in /tmp where
> sshd listens and again proxies it to my local machine, but it would be much
> easier to just tell sshd on the remote machine to open its socket inside the
> build chroot.

It sounds like the recent move to being under the user's home directory might possibly have solved your problem, or at least made it simpler.
Roumen Petrov
2025-Aug-15 07:18 UTC
Location of socket for agent forwarding on remote machine configurable?
On 14.08.25 at 14:52, Nils Rennebarth wrote:

> Hi,
>
> [SNIP]
>
> Is it possible to configure the location of the agent socket on the
> remote machine, or is that location hardcoded to /tmp/ssh-XXXXXXXXXXXX/
> agent.<pid>?

This depends on the point of view. One group of developers prefers hard-coded values, for instance:

a) OpenSSH

    $ fgrep /tmp/ *.c
    auth-krb5.c: "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
    misc.c: r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXXXX");
    session.c: auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
    $ fgrep TMPDIR *.c
    misc.c: if ((tmpdir = getenv("TMPDIR")) != NULL) {
    ssh-agent.c: * in $TMPDIR.

Others, like me, prefer to avoid hard-coded values, for instance:

b) PKIX-SSH

    $ fgrep TMPDIR *.c
    auth-krb5.c:{ const char *tmpdir = getenv("TMPDIR");
    misc.c: * environment variable TMPDIR.
    misc.c: tmpdir = getenv("TMPDIR");
    misc.c: if ((tmpdir = getenv("TMPDIR")) != NULL) {
    session.c: COPY_ANDROID_ENV("TMPDIR");

with fallback to /tmp:

    $ fgrep /tmp/ *.c
    misc.c: r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXX");

Side effect: the daemon can be run in an Android application.

> [SNIP]
>
> Best regards, Nils

Roumen